Securing REST APIs

Slides from Apache Shiro User Group presentation by Les Hazlewood on API design and RESTful API security using Shiro. Demonstrates design and security principles using Stormpath API.

Published in: Technology, Design

  1. Securing REST APIs
     Les Hazlewood, Apache Shiro Project Chair, CTO, Stormpath
  2. Topics
     • General API Best Practices
     • Statelessness
     • Authentication
     • Authorization (access control)
  3. General REST API Best Practices
     • Base URL
     • Integer Version
     • HTTP vs HTTPS
     • Nice Error Representations
  4. Base URL + Version
     https://api.stormpath.com/v1
  5. Error Representation
     • HTTP Status Code
     • Application-specific Error Code (18 4xx, 6 5xx)
     • End-user Message
     • Developer Message
     • More Info URL
  6. Error Representation Example
     HTTP/1.1 404 Not Found

     {
       "status": 404,
       "code": 404,
       "message": "Oops! That application cannot be found.",
       "developerMessage": "The specified Application cannot be found. If you accessed this url via a stale href reference, it might be helpful to acquire the tenant's Application Collection Resource to obtain the current list of applications.",
       "moreInfo": "http://www.stormpath.com/docs/errors/404"
     }
  7. Statelessness
     • No sessions! Sessions mean session clustering (and all that it implies)
     • How do you prevent sessions? Your code? Framework code?
  8. NoSessionCreationFilter
     [main]
     …
     [urls]
     /v1/** = noSessionCreation, authcBasic, …
  9. Authentication
     • What is safe?
     • SSL: server vs client
     • Username/Password, BASIC authentication
     • API Keys
     • What is OAuth?
  10. HTTP Basic Authentication
     [main]
     …
     [urls]
     /v1/** = ssl, noSessionCreation, authcBasic, …
  11. OAuth
     • Protocol
     • Designed for 3 parties, can be used for 2
     • 1.0a vs 2.0
     • Signature algorithm (HMAC)
     • Shiro & Scribe
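Slide 11 names the HMAC signature as the thing that distinguishes OAuth 1.0a from sending a password or API secret in every request (as HTTP Basic on slide 10 does). The following is an added example, not code from the slides, from Shiro or from Scribe: it implements the OAuth 1.0a HMAC-SHA1 signing steps of RFC 5849 (percent-encoding, parameter normalization, signature base string, signing key) with only the JDK. The key id, secret, URL, timestamp and nonce are constructed placeholders; the caller is assumed to pass an already-normalized base URI.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import java.util.StringJoiner;

/** OAuth 1.0a HMAC-SHA1 request signing (RFC 5849 sections 3.4.1, 3.4.2 and 3.6). Added example. */
public final class OAuth1HmacSigner {

    /** Section 3.6 percent-encoding: unreserved bytes pass through, every other byte becomes upper-case %XX. */
    static String pct(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) sb.append((char) c); else sb.append(String.format("%%%02X", c));
        }
        return sb.toString();
    }

    /** Section 3.4.1.3.2: encode each name and value, sort by name then value, join as name=value&name=value. */
    static String normalize(List<String[]> params) {
        List<String[]> encoded = new ArrayList<>();
        for (String[] kv : params) encoded.add(new String[] { pct(kv[0]), pct(kv[1]) });
        encoded.sort(Comparator.comparing((String[] kv) -> kv[0]).thenComparing(kv -> kv[1]));
        StringJoiner joiner = new StringJoiner("&");
        for (String[] kv : encoded) joiner.add(kv[0] + "=" + kv[1]);
        return joiner.toString();
    }

    /**
     * Section 3.4.1.1: METHOD & enc(base URI) & enc(normalized params). baseUri is assumed to be already
     * normalized (lower-case scheme and host, default port dropped, no query or fragment); params holds the
     * query parameters plus every oauth_* protocol parameter except oauth_signature itself.
     */
    static String signatureBaseString(String method, String baseUri, List<String[]> params) {
        return method.toUpperCase(Locale.ROOT) + "&" + pct(baseUri) + "&" + pct(normalize(params));
    }

    /** Section 3.4.2: key = enc(client secret) & enc(token secret). In the 2-party case the token secret is empty. */
    static String hmacSha1Signature(String baseString, String clientSecret, String tokenSecret)
            throws GeneralSecurityException {
        String key = pct(clientSecret) + "&" + pct(tokenSecret == null ? "" : tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed placeholder credentials and request; a real client uses the key id and secret it was issued.
        String clientKey = "example-api-key-id";
        String clientSecret = "example-api-key-secret";
        List<String[]> params = new ArrayList<>();
        params.add(new String[] { "oauth_consumer_key", clientKey });
        params.add(new String[] { "oauth_signature_method", "HMAC-SHA1" });
        params.add(new String[] { "oauth_timestamp", "1375000000" });
        params.add(new String[] { "oauth_nonce", "7d8f3e4a" });
        params.add(new String[] { "oauth_version", "1.0" });
        params.add(new String[] { "limit", "25" });  // a query parameter of the request being signed

        String base = signatureBaseString("GET", "https://api.example.com/v1/applications", params);
        String sig = hmacSha1Signature(base, clientSecret, "");  // 2-party use: no token secret
        System.out.println("signature base string: " + base);
        System.out.println("Authorization: OAuth oauth_consumer_key=\"" + pct(clientKey)
                + "\", oauth_signature_method=\"HMAC-SHA1\", oauth_timestamp=\"1375000000\""
                + ", oauth_nonce=\"7d8f3e4a\", oauth_version=\"1.0\", oauth_signature=\"" + pct(sig) + "\"");
    }
}
```

The server rebuilds the same base string from the request it actually received, recomputes the HMAC with the secret it holds for oauth_consumer_key, and compares the two values with a constant-time comparison. Because the secret never travels with the request, a captured request cannot reveal it; the server still has to reject stale oauth_timestamp values and reused oauth_nonce values, otherwise the captured request itself can be replayed. This is the property HTTP Basic lacks, which is why the slides pair authcBasic with the ssl filter.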
  12. Authorization
     • Filter
     • Exception handling
  13. HttpMethodPermissionFilter
     [main]
     rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
     [urls]
     /v1/user = noSessionCreation, authcBasic, rest[user]
     /v1/** = noSessionCreation, authcBasic
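Slides 7, 8 and 13 only show the filter chain lines. As an added example (not from the slides; it uses Shiro's public API on a 1.x classpath but is not Shiro's own code), the program below makes both points concrete outside a servlet container: the [main] entries disable subject-state session storage, which is Shiro's documented non-web counterpart of the noSessionCreation filter, and the METHOD_ACTIONS table reproduces the HTTP-method-to-action mapping that HttpMethodPermissionFilter applies when a chain says rest[user]. Note that Shiro's web module already registers this filter under the name rest, so the [main] line on slide 13 is optional. The users, passwords and roles in the embedded ini are constructed for the example.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

import java.util.Locale;
import java.util.Map;

/** Stateless Shiro subjects plus the rest[resource] permission mapping. Added example. */
public final class StatelessRestAuthz {

    // Constructed configuration. The three sessionStorageEvaluator lines are the documented way to stop Shiro
    // from persisting subject state in a session; [users] and [roles] feed the built-in IniRealm.
    static final String INI =
            "[main]\n"
            + "sessionStorageEvaluator = org.apache.shiro.mgt.DefaultSessionStorageEvaluator\n"
            + "sessionStorageEvaluator.sessionStorageEnabled = false\n"
            + "securityManager.subjectDAO.sessionStorageEvaluator = $sessionStorageEvaluator\n"
            + "[users]\n"
            + "alice = alice-secret, reader\n"
            + "bob = bob-secret, admin\n"
            + "[roles]\n"
            + "reader = user:read\n"
            + "admin = user:*\n";

    // The HTTP method -> action mapping HttpMethodPermissionFilter applies; rest[user] checks "user:<action>".
    static final Map<String, String> METHOD_ACTIONS = Map.of(
            "HEAD", "read", "GET", "read", "OPTIONS", "read", "TRACE", "read",
            "POST", "create", "MKCOL", "create", "PUT", "update", "DELETE", "delete");

    static SecurityManager securityManager() {
        Ini ini = new Ini();
        ini.load(INI);
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** Per-request subject: authenticate from the credentials carried by this request, keep nothing afterwards. */
    static Subject login(SecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));  // AuthenticationException on bad credentials
        return subject;
    }

    /** What rest[resource] decides for a request: unknown verbs are denied rather than mapped to a guess. */
    static boolean permitted(Subject subject, String httpMethod, String resource) {
        String action = METHOD_ACTIONS.get(httpMethod.toUpperCase(Locale.ROOT));
        return action != null && subject.isPermitted(resource + ":" + action);
    }

    public static void main(String[] args) {
        SecurityManager sm = securityManager();

        Subject alice = login(sm, "alice", "alice-secret");
        System.out.println("alice GET /v1/user    -> " + permitted(alice, "GET", "user"));
        System.out.println("alice DELETE /v1/user -> " + permitted(alice, "DELETE", "user"));
        System.out.println("alice has a session   -> " + (alice.getSession(false) != null));

        Subject bob = login(sm, "bob", "bob-secret");
        System.out.println("bob DELETE /v1/user   -> " + permitted(bob, "DELETE", "user"));
        bob.checkPermission("user:read");  // the assertion form from slide 14; throws UnauthorizedException if denied
    }
}
```

With the configuration above alice holds only user:read, so GET and HEAD on /v1/user pass while PUT, POST and DELETE fail, and getSession(false) stays null because nothing was stored after login; bob's user:* wildcard implies every action. In the web deployment the same decisions are made by the chain on slide 13, and each request is authenticated afresh from its Authorization header instead of from a cookie.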
  14. Exception Handler
     • Annotation or assertion
     • MVC framework or JSP 'catch all' → JSON
     @RequiresPermissions("user:read")
     public void doSomething() { … }

     subject.checkPermission("user:read");
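Slide 14 says the framework's "catch all" should turn authorization failures into JSON, and slides 5 and 6 define what that JSON looks like. The following is an added example covering both (not code from the slides, Stormpath or Shiro): a JAX-RS 2.x resource that asserts the permission with subject.checkPermission, and an ExceptionMapper that converts any Shiro AuthorizationException into the five-field error representation of slide 5. The realm name, the fixed messages and the use of the HTTP status as the application error code are assumptions; the moreInfo base URL is the one from slide 6.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

/** The assertion form from slide 14: the resource method checks the permission itself. */
@Path("/v1/user")
public class UserResource {
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public String list() {
        // UnauthenticatedException if no subject is logged in, UnauthorizedException if it lacks user:read.
        SecurityUtils.getSubject().checkPermission("user:read");
        return "{\"items\":[]}";  // placeholder payload
    }
}

/** The "catch all": every Shiro authorization failure leaves the API as a JSON error representation. Added example. */
@Provider
class ShiroErrorMapper implements ExceptionMapper<AuthorizationException> {

    static final String MORE_INFO_BASE = "http://www.stormpath.com/docs/errors/";  // base of the slide 6 moreInfo URL

    @Override
    public Response toResponse(AuthorizationException e) {
        if (e instanceof UnauthenticatedException) {
            // No usable credentials: 401 plus the challenge that tells the client how to authenticate.
            return Response.status(401)
                    .header("WWW-Authenticate", "Basic realm=\"api\"")  // realm name assumed
                    .type(MediaType.APPLICATION_JSON)
                    .entity(errorJson(401, 401, "Authentication is required.",
                            "Send valid credentials in an Authorization: Basic header over HTTPS."))
                    .build();
        }
        // Authenticated but not permitted (UnauthorizedException and other subclasses): 403.
        return Response.status(403)
                .type(MediaType.APPLICATION_JSON)
                .entity(errorJson(403, 403, "You are not allowed to do that.",
                        "The authenticated account lacks the permission required for this resource and method."))
                .build();
    }

    /**
     * Body with the fields from slide 5. The messages are fixed strings chosen here; the exception's own message,
     * which can name realms, principals or the missing permission, is deliberately never copied to the client.
     */
    static String errorJson(int status, int code, String message, String developerMessage) {
        return "{"
                + "\"status\": " + status + ", "
                + "\"code\": " + code + ", "
                + "\"message\": \"" + escape(message) + "\", "
                + "\"developerMessage\": \"" + escape(developerMessage) + "\", "
                + "\"moreInfo\": \"" + escape(MORE_INFO_BASE + code) + "\""
                + "}";
    }

    /** Minimal JSON string escaping so no message text can break out of its quotes. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c)); else sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The mapper relies on UnauthenticatedException and UnauthorizedException both extending Shiro's AuthorizationException, so one provider handles both the annotation form and the assertion form from the slide. The distinction it draws matters for clients: 401 with a WWW-Authenticate challenge means "retry with credentials", 403 means "credentials were fine, the action is not allowed". A catch-all that returned 500 or an HTML error page for either would leak the framework's stack trace and teach callers nothing.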
